Okay, NOW we're getting to some stuff that is distinct, but ... The problem for me is having solid evidence against a domain that was created 5 minutes ago, with forged or PrivacyGuard-ed credentials... Sometimes you just have to fall back to IP rep and header analysis. Or just say, "This was created 5 minutes ago..." and deal with it appropriately.
Probably a bigger issue for ESPs than those of us playing defense. Sometimes, for the guys we hunt, the only evidence is metadata.

Aloha,
Michael.

--
Sent from my Windows Phone

________________________________
From: Neil Schwartzman <n...@cauce.org>
Sent: 7/28/2016 7:14 AM
To: mailop <mailop@mailop.org>
Cc: Autumn Tyr-Salvia <tyrsal...@gmail.com>
Subject: Re: [mailop] domain research tools?

Domaintools has an API and, as noted, reverse whois, alerts on brands, IPs, and nameservers. As well I'd add pDNS to your toolkit (Domaintools does NOT do passive). I recommend Zetalytics (April), a virustotal paid account and Vixie's offerings at Farsight Security.

> On Jul 28, 2016, at 9:57 AM, Ryan Harris via mailop <mailop@mailop.org> wrote:
>
> Domaintools.com <http://domaintools.com> is pretty nice. If you pay for their service they have a reverse whois that can show you other domains that are most likely connected to the shady domain you are looking at.
>
> Ryan
>
> On Thu, Jul 28, 2016 at 7:37 AM, Kurt Jaeger <mai...@opsec.eu> wrote:
>> Hi!
>>
>>> Do you do any domain research in the course of your work? If so, what tools
>>> do you use for research [...]
>>
>> http://www.domaintools.com/ has some services, for some EUR/$.
>>
>> --
>> p...@opsec.eu +49 171 3101372
>> 4 years to go !
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop